Does anyone remember Blockbuster and Hollywood Video? I assume most of you do, but wow, doesn’t it seem like forever ago when we actually had to drive to stores to get movies to watch at home? What a drag that was!

Yet, just 15 years ago, that was the norm and those two firms were the titans of video distribution, so much so that federal regulators at the Federal Trade Commission looked to stop their hegemony through antitrust intervention. But then those firms and whatever “market power” they possessed quickly evaporated as a wave of Schumpeterian creative destruction swept through video distribution markets. Both those firms and antitrust regulators had completely failed to anticipate the tsunami of technological and marketplace changes about to hit in the form of alternative online video distribution platforms as well as the rise of smartphones and robust nationwide mobile networks.

Today, this serves as a cautionary tale of what happens when regulatory hubris triumphs over policy humility, as Trace Mitchell and I explain in this new essay for  National Review Online entitled, “The Crystal Ball of Antitrust Regulators Is Cracked.” As we note:

There is no discernable end point to the process of entrepreneurial-driven change. In fact, it seems to be proliferating rapidly. To survive, even the most successful companies must be willing to quickly dispense with yesterday’s successful business plans, lest they be steamrolled by the relentless pace of technological change and ever-shifting consumer demands. It is easy to understand why some people find it hard to imagine a time when Amazon, Apple, Facebook, and Google won’t be quite as dominant as they are today. But it was equally challenging 20 years ago to imagine that those same companies could disrupt the giants of that era.

Hopefully today’s policymakers will have a little more patience and trust competition and continued technological innovation to bring us still more wonderful video choices.

[OC] Blockbuster Video US store locations between 1986 and 2019 from r/dataisbeautiful

Yesterday, the White House Council of Economic Advisers released an important new report entitled, “Occupational Licensing: A Framework for Policymakers.” (PDF, 76 pgs.) The report highlighted the costs that outdated or unneeded licensing regulations can have on diverse portions of the citizenry. Specifically, the report concluded that:

the current licensing regime in the United States also creates substantial costs, and often the requirements for obtaining a license are not in sync with the skills needed for the job. There is evidence that licensing requirements raise the price of goods and services, restrict employment opportunities,  and make it more difficult for workers to take their skills across State lines. Too often, policymakers do not carefully weigh these costs and benefits when making decisions about whether or how to regulate a profession through licensing.

The report supported these conclusions with a wealth of evidence. In that regard, I was pleased to see that research from Mercatus Center-affiliated scholars was cited in the White House report (specifically on pg. 34). Mercatus Center scholars have repeatedly documented the costs of occupational licensing and offered suggestions for how to reform or eliminate unnecessary licensing practices. Most recently, my colleagues and I have explored the costs of licensing restrictions for new sharing economy platforms and innovators. The White House report cited, for example, the recently-released Mercatus paper on “How the Internet, the Sharing Economy, and Reputational Feedback Mechanisms Solve the ‘Lemons Problem,’” which I co-authored with Christopher Koopman, Anne Hobson, and Chris Kuiper. And it also cited a new essay by Tyler Cowen and Alex Tabarrok on “The End of Asymmetric Information.”

Moreover, along with Christopher Koopman and Matt Mitchell, I recently submitted comments to the Federal Trade Commission for a sharing economy workshop. In those comments, as well as a recent paper on the same subject, we documented how occupational licensing rules were often “captured” by affected interests and are then used to discourage new forms of competition and innovation. This harms both consumers and workers by depriving them of new and better options. Many sharing economy operations are having great success in breaking down these barriers and proving that consumers and workers do better in an environment free of unnecessary and costly licensing restrictions. This suggests that consumer welfare would be improved even more by reforming other licensing regimes.

Mercatus has published dozens of other things related to this issue, many of which I have listed down below. Just recently, in fact, we published a new paper on “Breaking Down the Barriers: Three Ways State and Local Governments Can Improve the Lives of the Poor,” by economist Steven Horwitz. The report begins by documenting how “occupational licensure laws disproportionately burden the poor by requiring them to spend significant resources just to enter a market.” This is consistent with the findings from other Mercatus reports and other academic publications.

Anyway, check out the new White House report and, if you are serious about studying the issue of occupational licensing in more detail, you’ll want to take a closer look at some of these other Mercatus Center publications on the issue. The case for occupational licensing reform is strong and non-partisan, as the release of this White House report makes clear.

Mercatus Center publications and related material on occupational licensing & barriers to entry 

• Working Papers, Filings & Testimony
  • Mercatus research paper, “Breaking Down the Barriers: Three Ways State and Local Governments Can Get Out of the Way and Improve the Lives of the Poor” by Steve Horowitz (July 21 2015).
  • Testimony before the South Carolina Health Planning Committee department of Health and Environmental Control, “Certificate-of-Need laws: Implications for South Carolina” by Christopher Koopman, Thomas Stratmann, and Mohamad Elbarasse (June 12, 2015).
  • Mercatus on Policy, “Certificate-of-Need Laws: Implications for Arkansas” by Christopher Koopman, Thomas Stratmann, and Mohamad Elbarasse (June 9, 2015).
  • Mercatus on Policy, “Certificate-Of Need Laws: Implications for West Virginia” by Christopher Koopman and Thomas Stratmann (June 2, 2015).
  • Mercatus working paper, “How the Internet, the Sharing Economy, and Reputational Feedback Mechanisms Solve the “ Lemons Problem” by Adam Thierer, Christopher Koopman, Anne Hobson, and Chris Kuiper (May 26, 2015).
  • Mercatus FTC filing, “The Sharing Economy: Issues Facing Platforms, Participants, and Regulators” by Christopher Koopman, Matthew Mitchell, and Adam Thierer (May 26, 2015).
  • Mercatus on Policy, “Certificate-Of Need Laws: Implications for Kentucky” by Christopher Koopman, Thomas Stratmann and Mohamad Elbarasse (May 26, 2015).
  • Mercatus on Policy, “Certificate-Of Need Laws: Implications for Michigan” by Christopher Koopman, Thomas Stratmann and Mohamad Elbarasse (May 19, 2015).
  • Mercatus publication, “How state CON Laws restrict Access to Health Care” by Christopher Koopman Thomas Stratmann, and Mohamad Elbarasse (May 13, 2015).
  • Mercatus on Policy, “Certificate-Of Need Laws: Implications for Missouri” by Christopher Koopman, Thomas Stratmann and Mohamad Elbarasse (May 11, 2015).
  • Mercatus on Policy, “Certificate-Of Need Laws: Implications for Georgia” by Christopher Mercatus on Policy, “Certificate-Of Need Laws: Implications for South Carolina” by Christopher Koopman and Thomas Stratmann (May 5, 2015).
  • Testimony before the Indiana Senate Commerce and Technology Committee, “Occupational Licensing Gone Wild? Why Licensing is Not Always the Answer” by Edward Timmons (April 16, 2015).
  • Koopman, Thomas Stratmann and Mohamad Elbarasse (March 31, 2015).
  • Mercatus on Policy, “Certificate-Of Need Laws: Implications for Tennessee” by Christopher Koopman and Thomas Stratmann (March 24, 2015).
  • Mercatus on Policy, “Certificate-of-Need Laws: Implications for Florida” by Christopher Koopman and Thomas Stratmann (March 3, 2015).
  • Mercatus policy recommendations, “Florida Fiscal Policy: Responsible Budgeting in a Growing State” by Randall Holcombe (February 26, 2015).
  • Mercatus on Policy, “Certificate-Of Need Laws: Implications for Virginia” by Christopher Koopman and Thomas Stratmann (February 24, 2015).
  • Mercatus working paper, “Bringing the Effects of Occupational Licensing into Focus: Optician Licensing in the United States” by Edward Timmons and Anna Mills (February 17 2015).
  • Mercatus on Policy, “Certificate-Of Need Laws: Implications for North Carolina” by Christopher Koopman and Thomas Stratmann (February 12, 2015).
  • Mercatus on Policy, “Certificate-Of Need Laws: Implications for New Hampshire” by Christopher Koopman and Thomas Stratmann (February 4, 2015).
  • Testimony before the New Hampshire House Health, Human Services and Elderly Affairs Committee, “Certificate-of-Need laws: Implications for New Hampshire” by Christopher Koopman and Thomas Stratmann (January 28, 2015).
  • Mercatus publication, “The Sharing Economy and Consumer Protection Regulation: The Case for Policy Change” by Christopher Koopman, Matthew Mitchell, and Adam Thierer (December 8, 2014).
  • Mercatus interactive publication, “40 Years of Certificate-of-Need Laws across America,” by Matthew Mitchell and Christopher Koopman (October 14, 2014).
  • Mercatus working paper, “Do Certificate-of Need Laws Increase Indigent Care?” by Thomas Stratmann and Jake Russ (July 15, 2014).
  • Mercatus working paper, “Regulatory Reform in Florida: An Opportunity for Greater Competitiveness and Economic Efficiency” by Patrick McLaughlin, Jerry Ellig, and Dima Yazji Shamoun (March 18, 2014).
  • Mercatus on policy, “A Tale of Two Labor Markets: Government Spending’s Impact on Virginia” by Keith Hall and Robert Greene, (September 20, 2013).
  • Mercatus publication, “The Pathology of Privilege: The Economic Consequences of Government Favoritism” by Matthew Mitchell, (July 8, 2012).
  • “Beyond Bailouts: What is Cronyism?” by Matthew Mitchell, (July 8, 2012).
• Journal Articles
  • Published in Econ Journal Watch, “Was Occupational Licensing Good for Minorities? A Critique of Marc Law and Mindy Marks” by Daniel B. Klein, Benjamin Powell, and Evgeny S. Vorotnikov (September 2012).
  • Published in Cato Journal, “Occupational Licensing and Asymmetric Information” by David Skarbek (Jan 2007).
• Charts and Videos
  • “The Wrath of CON | How Certificate-Of-Need Laws Affect Access to Health Care” by Matthew Mitchell (May 12, 2015).
  • “Occupational Licensing: Bad for Competition, Bad for Low-Income Workers” by Veronique de Rugy (March 25, 2014).
• Media
  • Christopher Koopman discusses certificate of need laws on The Bill LuMaye Show on WPTF in North Carolina (5/11/2015).
  • Edward Timmons and Anna Mills publish, “Short-Sighted Policy,” at S. News and World Report (2/17/15).
  • Veronique de Rugy publishes, “Free the Horse Masseuses!” in Reason Magazine (July 2014).
  • Veronique de Rugy discusses state occupational licensing on Richmond’s Morning News on WRVA in Virginia (6/6/14).
  • Veronique de Rugy publishes “Licensing laws protect special interests at the expense of opportunity,” at The Washington Examiner (3/28/14).
  • Patrick McLaughlin discusses occupational licensing on The Ed Dean Show in Florida (3/27/14).
  • Donald Boudreaux publishes “Occupational licensing: Reality differs from rhetoric,” in The Pittsburgh Tribune-Review (3/25/14).
  • Emily Washington blogs “Occupational Licensing Hurts Consumers and Limits Entrepreneurship,” at Neighborhood Effects (8/20/13).
  • Veronique de Rugy blogs “More State Occupational Licensing Law Abuse: Kentucky Edition,” at National Review’s The Corner (7/17/13).
  • Emily Washington blogs “Small steps in VA occupational licensing reform,” at Neighborhood Effects (6/25/12).

Yesterday, the Federal Trade Commission (FTC) released its long-awaited report on “The Internet of Things: Privacy and Security in a Connected World.” The 55-page report is the result of a lengthy staff exploration of the issue, which kicked off with an FTC workshop on the issue that was held on November 19, 2013.

I’m still digesting all the details in the report, but I thought I’d offer a few quick thoughts on some of the major findings and recommendations from it. As I’ve noted here before, I’ve made the Internet of Things my top priority over the past year and have penned several essays about it here, as well as in a big new white paper (“The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation”) that will be published in the Richmond Journal of Law & Technology shortly. (Also, here’s a compendium of most of what I’ve done on the issue thus far.)

I’ll begin with a few general thoughts on the FTC’s report and its overall approach to the Internet of Things and then discuss a few specific issues that I believe deserve attention.

Big Picture, Part 1: Should Best Practices Be Voluntary or Mandatory?

Generally speaking, the FTC’s report contains a variety of “best practice” recommendations to get Internet of Things innovators to take steps to ensure greater privacy and security “by design” in their products. Most of those recommended best practices are sensible as general guidelines for innovators, but the really sticky question here continued to be this: When, if ever, should “best practices” become binding regulatory requirements?

The FTC does a bit of a dance when answering that question. Consider how, in the executive summary of the report, the Commission answers the question regarding the need for additional privacy and security regulation: “Commission staff agrees with those commenters who stated that there is great potential for innovation in this area, and that IoT-specific legislation at this stage would be premature.” But, just a few lines later, the agency (1) “reiterates the Commission’s previous recommendation for Congress to enact strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach;” and (2) “recommends that Congress enact broad-based (as opposed to IoT-specific) privacy legislation.”

Here and elsewhere, the agency repeatedly stresses that it is not seeking IoT-specific regulation; merely “broad-based” digital privacy and security legislation. The problem is that once you understand what the IoT is all about you come to realize that this largely represents a distinction without a difference. The Internet of Things is simply the extension of the Net into everything we own or come into contact with. Thus, this idea that the agency is not seeking IoT-specific rule sounds terrific until you realize that it is actually seeking something far more sweeping: greater regulation of all online / digital interactions. And because “the Internet” and “the Internet of Things” will eventually (if they are not already) be considered synonymous, this notion that the agency is not proposing technology-specific regulation is really quite silly.

Now, it remains unclear whether there exists any appetite on Capitol Hill for “comprehensive” legislation of any variety – although perhaps we’ll learn more about that possibility when the Senate Commerce Committee hosts a hearing on these issues on February 11. But at least thus far, “comprehensive” or “baseline” digital privacy and security bills have been non-starters.

And that’s for good reason in my opinion: Such regulatory proposals could take us down the path that Europe charted in the late 1990s with onerous “data directives” and suffocating regulatory mandates for the IT / computing sector. The results of this experiment have been unambiguous, as I documented in congressional testimony in 2013. I noted there how America’s Internet sector came to be the envy of the world while it was hard to name any major Internet company from Europe. Whereas America embraced “permissionless innovation” and let creative minds develop one of the greatest success stories in modern history, the Europeans adopted a “Mother, May I” regulatory approach for the digital economy. America’s more flexible, light-touch regulatory regime leaves more room for competition and innovation compared to Europe’s top-down regime. Digital innovation suffered over there while it blossomed here.

That’s why we need to be careful about adopting the sort of “broad-based” regulatory regime that the FTC recommends in this and previous reports.

Big Picture, Part 2: Does the FTC Really Need More Authority?

Something else is going on in this report that has also been happening in all the FTC’s recent activity on digital privacy and security matters: The agency has been busy laying the groundwork for its own expansion.

In this latest report, for example, the FTC argues that

Although the Commission currently has authority to take action against some IoT-related practices, it cannot mandate certain basic privacy protections… The Commission has continued to recommend that Congress enact strong, flexible, and technology-neutral legislation to strengthen the Commission’s existing data security enforcement tools and require companies to notify consumers when there is a security breach.

In other words, this agency wants more authority. And we are talking about sweeping authority here that would transcend its already sweeping authority to police “unfair and deceptive practices” under Section 5 of the FTC Act. Let’s be clear: It would be hard to craft a law that grants an agency more comprehensive and open-ended consumer protection authority than Section 5. The meaning of those terms — “unfairness” and “deception” — has always been a contentious matter, and at times the agency has abused its discretion by exploiting that ambiguity.

Nonetheless, Sec. 5 remains a powerful enforcement tool for the agency and one that has been wielded aggressively in recently years to police digital economy giants and small operators alike. Generally speaking, I’m alright with most Sec. 5 enforcement, especially since that sort of retrospective policing of unfair and deceptive practices is far less likely to disrupt permissionless innovation in the digital economy. That’s because it does not subject digital innovators to the sort of “Mother, May I” regulatory system that European entrepreneurs face. But an expansion of the FTC’s authority via more “comprehensive, baseline” privacy and security regulatory policies threatens to convert America’s more sensible bottom-up and responsive regulatory system into the sort of innovation-killing regime we see on the other side of the Atlantic.

Here’s the other thing we can’t forget when it comes to the question of what additional authority to give the FTC over privacy and security matters: The FTC is not the end of the enforcement story in America. Other enforcement mechanism exist, including: privacy torts, class action litigation, property and contract law, state enforcement agencies, and other targeted privacy statutes. I’ve summarized all these additional enforcement mechanisms in my recent law review article referenced above. (See section VI of the paper.)

FIPPS, Part 1: Notice & Choice vs. Use-Based Restrictions

Next, let’s drill down a bit and examine some of the specific privacy and security best practices that the agency discusses in its new IoT report.

The FTC report highlights how the IoT creates serious tensions for many traditional Fair Information Practice Principles (FIPPs). The FIPPs generally include: (1) notice, (2) choice, (3) purpose specification, (4) use limitation, and (5) data minimization. But the report is mostly focused on notice and choice as well as data minimization.

When it comes to notice and choice, the agency wants to keep hope alive that it will still be applicable in an IoT world. I’m sympathetic to this effort because it is quite sensible for all digital innovators to do their best to provide consumers with adequate notice about data collection practices and then give them sensible choices about it. Yet, like the agency, I agree that “offering notice and choice is challenging in the IoT because of the ubiquity of data collection and the practical obstacles to providing information without a user interface.”

The agency has a nuanced discussion of how context matters in providing notice and choice for IoT, but one can’t help but think that even they must realize that the game is over, to some extent. The increasing miniaturization of IoT devices and the ease with which they suck up data means that traditional approaches to notice and choice just aren’t going to work all that well going forward. It is almost impossible to envision how a rigid application of traditional notice and choice procedures would work in practice for the IoT.

Relatedly, as I wrote here last week, the Future of Privacy Forum (FPF) recently released a new white paper entitled, “A Practical Privacy Paradigm for Wearables,” that notes how FIPPs “are a valuable set of high-level guidelines for promoting privacy, [but] given the nature of the technologies involved, traditional implementations of the FIPPs may not always be practical as the Internet of Things matures.” That’s particularly true of the notice and choice FIPPS.

But the FTC isn’t quite ready to throw in the towel and make the complete move toward “use-based restrictions,” as many academics have. (Note: I have lengthy discussion of this migration toward use-based restrictions in my law review article in section IV.D.). Use-based restrictions would focus on specific uses of data that are particularly sensitive and for which there is widespread agreement they should be limited or disallowed altogether. But use-based restrictions are, ironically, controversial from both the perspective of industry and privacy advocates (albeit for different reasons, obviously).

The FTC doesn’t really know where to go next with use-based restrictions. The agency says that, on one hand, “has incorporated certain elements of the use-based model into its approach” to enforcement in the past. On the other hand, the agency says it has concerns “about adopting a pure use-based model for the Internet of Things,” since it may not go far enough in addressing the growth of more widespread data collection, especially of more sensitive information.

In sum, the agency appears to be keeping the door open on this front and hoping that a best-of-all-worlds solution miraculously emerges that extends both notice and choice and use-based limitations as the IoT expands. But the agency’s new report doesn’t give us any sort of blueprint for how that might work, and that’s likely for good reason: because it probably won’t work at that well in practice and there will be serious costs in terms of lost innovation if they try to force unworkable solutions on this rapidly evolving marketplace.

FIPPS, Part 2: Data Minimization

The biggest policy fight that is likely to come out of this report involves the agency’s push for data minimization. The report recommends that, to minimize the risks associated with excessive data collection:

companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data. However, recognizing the need to balance future, beneficial uses of data with privacy protection, staff’s recommendation on data minimization is a flexible one that gives companies many options. They can decide not to collect data at all; collect only the fields of data necessary to the product or service being offered; collect data that is less sensitive; or deidentify the data they collect. If a company determines that none of these options will fulfill its business goals, it can seek consumers’ consent for collecting additional, unexpected categories of data…

This is an unsurprising recommendation in light of the fact that, in previous major speeches on the issue, FTC Chairwoman Edith Ramirez argued that, “information that is not collected in the first place can’t be misused,” and that:

The indiscriminate collection of data violates the First Commandment of data hygiene: Thou shall not collect and hold onto personal information unnecessary to an identified purpose. Keeping data on the off chance that it might prove useful is not consistent with privacy best practices. And remember, not all data is created equally. Just as there is low quality iron ore and coal, there is low quality, unreliable data. And old data is of little value.

In my forthcoming law review article, I discussed the problem with such reasoning at length and note:

if Chairwoman Ramirez’s approach to a preemptive data use “commandment” were enshrined into a law that said, “Thou shall not collect and hold onto personal information unnecessary to an identified purpose.” Such a precautionary limitation would certainly satisfy her desire to avoid hypothetical worst-case outcomes because, as she noted, “information that is not collected in the first place can’t be misused,” but it is equally true that information that is never collected may never lead to serendipitous data discoveries or new products and services that could offer consumers concrete benefits. “The socially beneficial uses of data made possible by data analytics are often not immediately evident to data subjects at the time of data collection,” notes Ken Wasch, president of the Software & Information Industry Association. If academics and lawmakers succeed in imposing such precautionary rules on the development of IoT and wearable technologies, many important innovations may never see the light of day.

FTC Commissioner Josh Wright issued a dissenting statement to the report that lambasted the staff for not conducting more robust cost-benefit analysis of the new proposed restrictions, and specifically cited how problematic the agency’s approach to data minimization was. “[S]taff merely acknowledges it would potentially curtail innovative uses of data. . . [w]ithout providing any sense of the magnitude of the costs to consumers of foregoing this innovation or of the benefits to consumers of data minimization,” he says. Similarly, in her separate statement, FTC Commissioner Maureen K. Ohlhausen worried about the report’s overly precautionary approach on data minimization when noting that, “without examining costs or benefits, [the staff report] encourages companies to delete valuable data — primarily to avoid hypothetical future harms. Even though the report recognizes the need for flexibility for companies weighing whether and what data to retain, the recommendation remains overly prescriptive,” she concludes.

Regardless, the battle lines have been drawn by the FTC staff report as the agency has made it clear that it will be stepping up its efforts to get IoT innovators to significantly slow or scale back their data collection efforts. It will be very interesting to see how the agency enforces that vision going forward and how it impacts innovation in this space. All I know is that the agency has not conducted a serious evaluation here of the trade-offs associated with such restrictions. I penned another law review article last year offering “A Framework for Benefit-Cost Analysis in Digital Privacy Debates” that they could use to begin that process if they wanted to get serious about it.

The Problem with the “Regulation Builds Trust” Argument

One of the interesting things about this and previous FTC reports on privacy and security matters is how often the agency premises the case for expanded regulation on “building trust.” The argument goes something like this (as found on page 51 of the new IoT report): “Staff believes such legislation will help build trust in new technologies that rely on consumer data, such as the IoT. Consumers are more likely to buy connected devices if they feel that their information is adequately protected.”

This is one of those commonly-heard claims that sounds so straight-forward and intuitive that few dare question it. But there are problems with the logic of the “we-need-regulation-to-build-trust-and boost adoption” arguments we often hear in debates over digital privacy.

First, the agency bases its argument mostly on polling data. “Surveys also show that consumers are more likely to trust companies that provide them with transparency and choices,” the report says. Well, of course surveys say that! It’s only logical that consumers will say this, just as they will always say they value privacy and security more generally when asked. You might as well ask people if they love their mothers!

But what consumers claim to care about and what they actually do in the real-world are often two very different things. In the real-world, people balance privacy and security alongside many other values, including choice, convenience, cost, and more. This leads to the so-called “privacy paradox,” or the problem of many people saying one thing and doing quite another when it comes to privacy matters. Put simply, people take some risks — including some privacy and security risks — in order to reap other rewards or benefits. (See this essay for more on the problem with most privacy polls.)

Second, online activity and the Internet of Things are both growing like gangbusters despite the privacy and security concerns that the FTC raises. Virtually every metric I’ve looked at that track IoT activity show astonishing growth and product adoption, and projections by all the major consultancies that have studied this consistently predict the continued rapid growth of IoT activity. Now, how can this be the case if, as the FTC claims, we’ll only see the IoT really take off after we get more regulation aimed at bolstering consumer trust? Of course, the agency might argue that the IoT will grow at an even faster clip than it is right now, but there is no way to prove one way or the other. In any event, the agency cannot possible claim that the IoT isn’t already growing at a very healthy clip — indeed, a lot of the hand-wringing the staff engages in throughout the report is premised precisely on the fact that the IoT is exploding faster that our ability to keep up with it!! In reality, it seems far more likely that cost and complexity are the bigger impediments to faster IoT adoption, just as cost and complexity have always been the factors weighing most heavily on the adoption of other digital technologies.

Third, let’s say that the FTC is correct – and it is – when it says that a certain amount of trust is needed in terms of IoT privacy and security before consumers are willing to use more of these devices and services in their everyday lives. Does the agency imagine that IoT innovators don’t know that? Are markets and consumers completely irrational? The FTC says on page 44 of the report that, “If a company decides that a particular data use is beneficial and consumers disagree with that decision, this may erode consumer trust.” Well, if such a mismatch does exist, then the assumption should be that consumers can and will push back, or seek out new and better options. And other companies should be able to sense the market opportunity here to offer a more privacy-centric offering for those consumers who demand it in order to win their trust and business.

Finally, and perhaps most obviously, the problem with the argument that increased regulation will help IoT adoption is that it ignores how the regulations put in place to achieve greater “trust” might become so onerous or costly in practice that there won’t be as many innovations for us to adopt to begin with! Again, regulation — even very well-intentioned regulation — has costs and trade-offs.

In any event, if the agency is going to premise the case for expanded privacy regulation on this notion, they are going to have to do far more to make their case besides simply asserting it.

Once Again, No Appreciation of the Potential for Societal Adaptation

Let’s briefly shift to a subject that isn’t discussed in the FTC’s new IoT report at all.

Regular readers may get tired of me making this point, but I feel it is worth stressing again: Major reports and statements by public policymakers about rapidly-evolving emerging technologies are always initially prone to stress panic over patience. Rarely are public officials willing to step-back, take a deep breath, and consider how a resilient citizenry might adapt to new technologies as they gradually assimilate new tools into their lives.

That is really sad, when you think about it, since humans have again and again proven capable of responding to technological change in creative ways by adopting new personal and social norms. I won’t belabor the point because I’ve already written volumes on this issue elsewhere. I tried to condense all my work into a single essay entitled, “Muddling Through: How We Learn to Cope with Technological Change.” Here’s the key takeaway:

humans have exhibited the uncanny ability to adapt to changes in their environment, bounce back from adversity, and learn to be resilient over time. A great deal of wisdom is born of experience, including experiences that involve risk and the possibility of occasional mistakes and failures while both developing new technologies and learning how to live with them. I believe it wise to continue to be open to new forms of innovation and technological change, not only because it provides breathing space for future entrepreneurialism and invention, but also because it provides an opportunity to see how societal attitudes toward new technologies evolve — and to learn from it. More often than not, I argue, citizens have found ways to adapt to technological change by employing a variety of coping mechanisms, new norms, or other creative fixes.

Again, you almost never hear regulators or lawmakers discuss this process of individual and social adaptation even though they must know there is something to it. One explanation is that every generation has their own techno-boogeymen and lose faith in the ability of humanity to adapt to it.

To believe that we humans are resilient, adaptable creatures should not be read as being indifferent to the significant privacy and security challenges associated with any of the new technologies in our lives today, including IoT technologies. Overly-exuberant techno-optimists are often too quick to adopt a “Just-Get-Over-It!” attitude in response to the privacy and security concerns raised by others. But it is equally unforgivable for those who are worried about those same concerns to utterly ignore the reality of human adaptation to new technologies realities.

Why are Educational Approaches Merely an Afterthought?

One final thing that troubled me about the FTC report was the way consumer and business education is mostly an afterthought. This is one of the most important roles that the FTC can and should play in terms of explaining potential privacy and security vulnerabilities to the general public and product developers alike.

Alas, the agency devotes so much ink to the more legalistic questions about how to address these issues, that all we end up with in the report is this one paragraph on consumer and business education:

Consumers should understand how to get more information about the privacy of their IoT devices, how to secure their home networks that connect to IoT devices, and how to use any available privacy settings. Businesses, and in particular small businesses, would benefit from additional information about how to reasonably secure IoT devices. The Commission staff will develop new consumer and business education materials in this area.

I applaud that language, and I very much hope that the agency is serious about plowing more effort and resources into developing new consumer and business education materials in this area. But I’m a bit shocked that the FTC report didn’t even bother mentioning the excellent material already available on the “On Guard Online” website it helped created with a dozen other federal agencies. Worse yet, the agency failed to highlight the many other privacy education and “digital citizenship” efforts that are underway today to help on this front. I discuss those efforts in more detail in the closing section of my recent law review article.

I hope that the agency spends a little more time working on the development of new consumer and business education materials in this area instead of trying to figure out how to craft a quasi-regulatory regime for the Internet of Things. As I noted last year in this Maine Law Review article, that would be a far more productive use of the agency’s expertise and resources. I argued there that “policymakers can draw important lessons from the debate over how best to protect children from objectionable online content” and apply them to debates about digital privacy. Specifically, after a decade of searching for legalistic solutions to online safety concerns — and convening a half-dozen blue ribbon task forces to study the issue — we finally saw a rough consensus emerge that no single “silver-bullet” technological solutions or legal quick-fixes would work and that, ultimately, education and empowerment represented the better use of our time and resources. What was true for child safety is equally true for privacy and security for the Internet of Things.

It’s a shame the FTC staff squandered the opportunity it had with this new report to highlight all the good that could be done by getting more serious about focusing first on those alternative, bottom-up, less costly, and less controversial solutions to these challenging problems. One day we’ll all wake up and realize that we spent a lost decade debating legalistic solutions that were either technically unworkable or politically impossible. Just imagine if all the smart people who were spending all their time and energy on those approaches right now were instead busy devising and pushing educational and empowerment-based solutions instead!

One day we’ll get there. Sadly, if the FTC report is any indication, that day is still a ways off.

Writing last week in The Wall Street Journal, Matt Moffett noted how many European countries continue to struggle with chronic unemployment and general economic malaise.  (“New Entrepreneurs Find Pain in Spain“) It’s a dismal but highly instructive tale about how much policy incentives matter when it comes to innovation and job creation–especially the sort of entrepreneurial activity from small start-ups that is so essential for economic growth. Here’s the key takeaway:

Scarce capital, dense bureaucracy, a culture deeply averse to risk and a cratered consumer market all suppress startups in Europe. The Global Entrepreneurship Monitor, a survey of startup activity, found the percentage of the adult population involved in early stage entrepreneurial activity last year was just 5% in Germany, 4.6% in France and 3.4% in Italy. That compares with 12.7% in the U.S. Even once they are established, European businesses are, on average, smaller and slower growing than those in the U.S.  The problems of entrepreneurs are one reason Europe’s economy continues to struggle after six years of crisis. The European Union this month cut its growth forecasts for the region for this year and next, citing weaker than expected performance in the eurozone’s biggest economies, Germany, France and Italy. This week, the Organization for Economic Cooperation and Development delivered its own pessimistic appraisal, with chief economist Catherine Mann saying, “The eurozone is the locus of the weakness in the global economy.” […] Europe’s unemployment crisis may be eroding a deeply ingrained fear of failure that is a bigger impediment to entrepreneurship on the Continent than in other regions, according to academic surveys. “Fear of failure is less of an issue because the whole country is a failure, and most of us are out of business or have a hard time paying our bills,” said Nick Drandakis of Athens, who in 2011 founded Taxibeat, an app that provides passenger ratings on taxi drivers.

I found Moffett’s article interesting because I write a lot about entrepreneurialism, innovation, long-term economic growth, and the public policies that facilitate all these things. This has also been the subject of an excellent Cato Institute online forum about “Reviving Economic Growth,” which asked leading economists and policy experts to answer the following question: “If you could wave a magic wand and make one or two policy or institutional changes to brighten the U.S. economy’s long-term growth prospects, what would you change and why?”

Many of the entries in that forum dealt with the importance of removing barriers to new start-ups so that entrepreneurs can help spark new innovations and spur economic growth. My entry, which was entitled, “Embracing a Culture of Permissionless Innovation,” kicked off with a quote from the great Joel Mokyr: “Why does economic growth… occur in some societies and not in others?” I noted that “debate has raged among generations of economists, historians, and business theorists about that question and the specific forces and policies that prompt long-term growth.” Generally speaking, however, there actually exists a great deal of consensus about the importance of small business entrepreneurship and the need for openness to change if an economy is going to grow. (See the studies from Ian Hathaway and Robert E. Litan that I cite in my essay among many others.)

Which brings us back to the situation in Europe. It seems clear that strong cultural and legal impediments to change exist in many European countries and that they discourage risk-taking and prevent the formation of new ventures. Many of us here in the United States worry about similar impediments and their impact on entrepreneurialism, but as those statistics in Moffett’s article make clear, the situation in Europe is far more grim. While some European policymakers seem willing to acknowledge that the deck has been stacked against innovators across the continent, few seem willing to embrace a comprehensive liberalization agenda to begin clearing away the legal and regulatory impediments that are negatively affecting startups and creating economic stagnation there. The primary reason for that goes back to the values and attitudes problem that Moffett highlighted in his article: When a country or continent’s culture is so deeply averse to risk and the possibility of disruptions or failures, then the exact sort of risk-taking that is so essential to economic growth will become increasingly difficult.

This was the focus of my Cato essay and it is what I meant by embracing a culture of permissionless innovation. As I noted in my essay, “many scholars and policymakers [often] speak of innovation policy as if it is simply a Goldilocks-like formula that entails tweaking various policy dials to get innovation just right,” which leads them to propose an endless litany of programs and policies to jump-start innovation and economic growth. But this puts the cart before the horse. Getting values right first is what really matters. Here is how I put it in my essay:

For innovation and growth to blossom, entrepreneurs need a clear green light from policymakers that signals a general acceptance of risk-taking—especially risk-taking that challenges existing business models and traditional ways of doing things. We can think of this disposition as permissionless innovation and if there was one thing every policymaker could do to help advance long-term growth, it is to first commit themselves to advancing this ethic and making it the lodestar for all their future policy pronouncements and decisions.

While there are limits to how much policymakers can influence these attitudes and values, any serious effort to foster the positive factors that give rise to expanded entrepreneurial opportunities must begin with an appreciation of how growth-oriented innovation policy begins with the proper policy disposition toward risk-taking and the possibility of significant economic and cultural disruption. As I put it in my recent book on the importance  Permissionless Innovation as a vision for innovation and growth, “living in constant fear of worst-case scenarios—and premising public policy upon them—means that best-case scenarios will never come about. When public policy is shaped by precautionary principle reasoning, it poses a serious threat to technological progress, economic entrepreneurialism, social adaptation, and long-run prosperity.”

But let’s be clear about what the “permissionless innovation” vision is all about, because it is not the same as anarchy. As I noted in the Cato essay:

Permissionless innovation is not an absolutist position that rejects any role for government. Rather, it is an aspirational goal that stresses the benefit of “innovation allowed” as the default position to begin policy debates. It switches the burden of proof to those who favor preemptive regulation and asks them to explain why ongoing trial-and-error experimentation with new technologies or business models should be disallowed.

Again, it’s about getting attitudes and incentives right. Specifically, it’s about being willing to embrace risk-taking and even failure, because that is the only way you get growth. As the old adage goes, “Nothing ventured, nothing gained.”  And our recent experience with the Internet and the Information Revolution offers the perfect case study of why getting values right and embracing a culture of permissionless innovation matters so much. As I noted in my Cato essay,

permissionless innovation powered the explosive growth of the Internet and America’s information technology sectors (computing, software, Internet services, etc.) over the past two decades. Those sectors have ushered in a generation of innovations and innovators that are now the envy of the world. This happened because the default position for the digital economy was permissionless innovation. No one had to ask anyone for the right to develop these new technologies and platforms.

The U.S. got policy right by getting our values right first. Thanks to a series of very smart pronouncements and decisions in the early and mid-1990s (all detailed in my essay and this Medium essay), digital age entrepreneurs were given a clear green light to take risks without fear of a political backlash.

Unfortunately for European innovators, a different message was sent from the start, with layers of “data directives” and other red tape encumbering new ventures. As a result, it’s hard today to name many innovators in this arena which originated in Europe. Instead, Europe’s household Internet names are mostly American companies. Europe is hoping to reverse that with the rise of the Internet of Things, since many European companies appear poised to become global leaders on that front. For that happen, however, the continent’s attitudes toward risk-taking will have to evolve to accommodate these highly disruptive technologies.

In particular, the Internet of Things will raise a variety of privacy and security-related concern (see my new 93-page paper on this), as well as economic-related fears associated with automation and job disruption. These are serious issues that deserve serious consideration and constructive solutions. But if Europe decides to put the Internet of Things revolution on hold in an attempt to preemptively plan for every theoretical downside, then they will miss the boat again and potentially lose many of the amazing benefits that will accompany these new innovations. Again, if you live in fear of the future, then an innovative future won’t happen. And looking backwards and holding onto the past is no way to grow an economy or achieve long-term prosperity.

The Mercatus Center at George Mason University has just released my latest working paper, “The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation.” The “Internet of Things” (IoT) generally refers to “smart” devices that are connected to both the Internet and other devices. Wearable technologies are IoT devices that are worn somewhere on the body and which gather data about us for various purposes. These technologies promise to usher in the next wave of Internet-enabled services and data-driven innovation. Basically, the Internet will be “baked in” to almost everything that consumers own and come into contact with.

Some critics are worried about the privacy and security implications of the Internet of Things and wearable technology, however, and are proposing regulation to address these concerns. In my new 93-page article, I explain why preemptive, top-down regulation would derail the many life-enriching innovations that could come from these new IoT technologies. Building on a recent book of mine, I argue that “permissionless innovation,” which allows new technology to flourish and develop in a relatively unabated fashion, is the superior approach to the Internet of Things.

As I note in the paper and my earlier book, if we spend all our time living in fear of the worst-case scenarios — and basing public policies on them — then best-case scenarios can never come about. As the old saying goes: nothing ventured, nothing gained. Precautionary principle-based regulation paralyzes progress and must be avoided.  We instead need to find constructive, “bottom-up” solutions to the privacy and security risks accompanying these new IoT technologies instead of top-down controls that would limit the development of life-enriching IoT innovations.

The better alternative is to deal with concerns creatively as they develop, using a balanced, layered approach  involving many different solutions, including: educational efforts, technological empowerment tools, social norms, public and watchdog pressure, industry best practices and self-regulation, transparency, torts and products liability law, and targeted enforcement of existing legal standards as needed.

Generally speaking, patience, humility, and forbearance by policymakers is crucial to allowing greater innovation and consumer choice in this arena. Importantly, policymakers should not forget that societal and individual adaptation will play a role here, just as it has during so many other turbulent technological transformations.

This article can be downloaded on my Mercatus Center page, on SSRN, or at Research Gate. I am hoping to find a law or policy journal interested in publishing this paper soon. If you with a journal and are interested, please contact me. [UPDATE 12/3/14: This paper has been accepted for publication in the Richmond Journal of Law & Technology, Vol. 21, Issue 6 (2015).]

Finally, if you are interested in this topic, you might want to flip through these slides I prepared for a presentation on this topic that I made at the Federal Communications Commission in September:

The sharing economy is growing faster than ever and becoming a hot policy topic these days. I’ve been fielding a lot of media calls lately about the nature of the sharing economy and how it should be regulated. (See latest clip below from the Stossel show on Fox Business Network.) Thus, I sketched out some general thoughts about the issue and thought I would share them here, along with some helpful additional reading I have come across while researching the issue. I’d welcome comments on this outline as well as suggestions for additional reading. (Note: I’ve also embedded some useful images from Jeremiah Owyang of Crowd Companies.)

1) Just because policymakers claim that regulation is meant to protect consumers does not mean it actually does so.

1. Cronyism/ Rent-seeking: Regulation is often “captured” by powerful and politically well-connected incumbents and used to their own benefit. (+ Lobbying activity creates deadweight losses for society.)
2. Innovation-killing: Regulations become a formidable barrier to new innovation, entry, and entrepreneurism.
3. Unintended consequences: Instead of resulting in lower prices & better service, the opposite often happens: Higher prices & lower quality service. (Example: Painting all cabs same color destroying branding & ability to differentiate).

2) The Internet and information technology alleviates the need for top-down regulation & actually does a better job of serving consumers.

1. Ease of entry/innovation in online world means that new entrants can come in to provide better options and solve problems previously thought to be unsolvable in the absence of regulation.
2. Informational empowerment: The Internet and information technology solves old problem of lack of consumer access to information about products and services. This gives them monitoring tools to find more and better choices. (i.e., it lowers both search costs & transaction costs). (“To the extent that consumer protection regulation is based on the claim that consumers lack adequate information, the case for government intervention is weakened by the Internet’s powerful and unprecedented ability to provide timely and pointed consumer information.” – John C. Moorhouse)
3. Feedback mechanisms (product & service rating / review systems) create powerful reputational incentives for all parties involved in transactions to perform better.
4. Self-regulating markets: The combination of these three factors results in a powerful check on market power or abusive behavior. The result is reasonably well-functioning and self-regulating markets. Bad actors get weeded out.
5. Law should evolve: When circumstances change dramatically, regulation should as well. If traditional rationales for regulation evaporate, or new technology or competition alleviates need for it, then the law should adapt.

3) Sharing economy has demonstrably improved consumer welfare. It provides:

1. more choices / competition
2. more service innovation / differentiation
3. better prices
4. higher quality services  (safety & cleanliness /convenience / peace of mind)
5. Better options & conditions for workers

4) If we need to “level the (regulatory) playing field,” best way to do so is by “deregulating down” to put everyone on equal footing; not by “regulating up” to achieve parity.

1. Regulatory asymmetry is real: Incumbents are right that they are at disadvantage relative to new sharing economy start-ups.
2. Don’t punish new innovations for it: But solution is not to just roll the old regulatory regime onto the new innovators.
3. Parity through liberalization: Instead, policymakers should “deregulate down” to achieve regulatory parity. Loosen old rules on incumbents as new entrants challenge status quo.
4. “Permissionless innovation” should trump “precautionary principle” regulation: Preemptive, precautionary regulation does not improve consumer welfare. Competition and choice do better. Thus, our default position toward the sharing economy should be “innovation allowed” or permissionless innovation.
5. Alternative remedies exist: Accidents will always happen, of course. But insurance, contracts, product liability, and other legal remedies exist when things go wrong. The difference is that ex post remedies don’t discourage innovation and competition like ex ante regulation does. By trying to head off every hypothetical worst-case scenario, preemptive regulations actually discourage many best-case scenarios from ever coming about.

5) Bottom line = Good intentions only get you so far in this world.

1. Just because a law was put on the books for noble purposes, it does not mean it really accomplished those goals, or still does so today.
2. Markets, competition, and ongoing innovation typically solve problems better than law when we give them a chance to do so.

[P.S. On 9/30, my Mercatus Center colleague Matt Mitchell posted this excellent follow-up essay building on my outline and improving it greatly.]

Additional Reading

• Randolph J. May & Michael J. Horney, “The Sharing Economy: A Positive Shared Vision for the Future,” Free State Foundation, Perspectives from FSF Scholars, Vol. 9, No. 26, July 30, 2014.
• R.J. Lehmann, “The Sharing Economy Will Thrive Only If Government Doesn’t Strangle It,” Reason, August 2, 2014.
• Andrew Moylan and R.J. Lehmann, “Five Principles for Regulating the Sharing Economy,” R Street, Policy Study No. 26, July 2014.
• Eli Lehrer & Andrew Moylan, “Embracing the Peer-Production Economy,” National Affairs, 2014, p. 51-63.
• Arun Sundararajan, “Why the Government Doesn’t Need to Regulate the Sharing Economy,” Wired, October 22, 2012.
• Matthew Mitchell and Michael Farren, “If you Like Uber, You Would’ve Loved the Jitney,” LA Times, July 12, 2014.
• Daniel M. Rothschild, “How Uber and Airbnb Resurrect ‘Dead Capital,’” The Umlaut, April 9, 2014.
• Daniel M. Rothschild, “Renters and Rent-Seeking in San Francisco,” Technology Liberation Front, April 15, 2014.
• [podcast] Michael Munger on the Sharing Economy, EconTalk, July 7, 2014.
• video of Michael Munger talk on the Sharing Economy, September 25, 2014.
• John C. Moorhouse, “Consumer Protection Regulation and Information on the Internet,” in Fred E. Foldvary & Daniel B. Klein (eds), The Half-Life of Policy Rationales: How New Technology Affects Old Policy Issues (Cato Institute, 2003).
• Rachel Bostman, What’s Mine is Yours: The Rise of Collaborative Consumption (2010).
• Jeremiah Owyang, A Glossary of Emerging Terms in the Collaborative Economy, August 29, 2014

On Thursday, it was my great pleasure to present a draft of my forthcoming paper, “The Internet of Things & Wearable Technology: Addressing Privacy & Security Concerns without Derailing Innovation,” at a conference that took place at the Federal Communications Commission on “Regulating the Evolving Broadband Ecosystem.” The 3-day event was co-sponsored by the American Enterprise Institute and the University of Nebraska College of Law.

The 65-page working paper I presented is still going through final peer review and copyediting, but I posted a very rough first draft on SSRN for conference participants. I expect the paper to be released as a Mercatus Center working paper in October and then I hope to find a home for it in a law review. I will post the final version once it is released. [UPDATE:The final version of this working paper was released on November 19, 2014.]

In the meantime, however, I thought I would post the 46 slides I presented at the conference, which offer an overview of the nature of the Internet of Things and wearable technology, the potential economic opportunities that exist in this space, and the various privacy and security challenges that could hold this technological revolution back. I also outlined some constructive solutions to those concerns. I plan to be very active on these issues in coming months.

Additional Reading

• “The Growing Conflict of Visions over the Internet of Things & Privacy,” January 14, 2012
• “Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013
• My Filing to the FTC in its ‘Internet of Things’ Proceeding, May 31, 2013
• Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom (2014)
• [Video] Cap Hill Briefing on Emerging Tech Policy Issues (June 2014)

I’m pleased to announce the release of my latest law review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It appears in the new edition of the George Mason University Law Review. (Vol. 20, No. 4, Summer 2013)

This is the second of two complimentary law review articles I am releasing this year dealing with privacy policy. The first, “The Pursuit of Privacy in a World Where Information Control is Failing,” was published in Vol. 36 of the Harvard Journal of Law & Public Policy this Spring. (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

My new article on benefit-cost analysis in privacy debates makes a seemingly contradictory argument: benefit-cost analysis (“BCA”) is extremely challenging in online child safety and digital privacy debates, yet it remains essential that analysts and policymakers attempt to conduct such reviews. While we will never be able to perfectly determine either the benefits or costs of online safety or privacy controls, the very act of conducting a regulatory impact analysis (“RIA”) will help us to better understand the trade-offs associated with various regulatory proposals.

However, precisely because those benefits and costs remain so remarkably subjective and contentious, I argue that we should look to employ less-restrictive solutions — education and awareness efforts, empowerment tools, alternative enforcement mechanisms, etc. — before resorting to potentially costly and cumbersome legal and regulatory regimes that could disrupt the digital economy and the efficient provision of services that consumers desire. This model has worked fairly effectively in the online safety context and can be applied to digital privacy concerns as well.

The article is organized as follows. Part I examines the use of BCA by federal agencies to assess the utility of government regulations. Part II considers how BCA can be applied to online privacy regulation and the challenges federal officials face when determining the potential benefits of regulation. Part III then elaborates on the cost considerations and other trade-offs that regulators face when evaluating the impact of privacy-related regulations. Part IV discusses alternative measures that can be taken by government regulators when attempting to address online safety and privacy concerns. This article concludes that policymakers must consider BCA when proposing new rules but also recognize the utility of alternative remedies such as education and awareness campaigns, to address consumer concerns about online safety and privacy.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and my Mercatus author page.

A Framework for Benefit-Cost Analysis in Digital Privacy Debates by Adam Thierer

In mid-April, the Federal Trade Commission (FTC) requested comments regarding “the consumer privacy and security issues posed by the growing connectivity of consumer devices, such as cars, appliances, and medical devices” or the so-called “Internet of Things.” This is in anticipation of a November 21 public workshop that the FTC will be hosting on the same issue.

These issues are finally starting to catch the attention of the public and policymakers alike with the rise of wearable computing, remote home automation and monitoring technologies, smart grids, autonomous vehicles and intelligent traffic systems, and so on. The Internet of Things represents the next great wave of Internet innovation, but it also represents the next great battleground in the field of Internet policy.

I filed comments with the FTC today in this proceeding and made a few simple points about why they should proceed cautiously here. A summary of my filing follows.

Avoiding a Precautionary Principle for the Internet of Things

First, while it is unclear where the FTC is heading with this proceeding—or for that matter, whether this even a formal proceeding at all—the danger exists that it represents the beginning of a regulatory regime for a new set of information technologies that are still in their infancy. Fearing hypothetical worst-case scenarios about the misuse of some IoT technologies, some policy activists and policymakers could seek to curb or control their development.

Policymakers should avoid acting on those impulses. Simply put, the Internet of Things—like the Internet itself—should not be subjected to a precautionary principle, which would impose preemptive, prophylactic restrictions on this rapidly evolving sector to guard against every theoretical harm that could develop. Preemptive restrictions on the development of the Internet of Things could retard technological innovation and limit the benefits that flow to consumers.

In other words, to the maximum extent possible, the default position toward new forms of technological innovation such as the Internet of Things should be innovation allowed, or what Paul Ohm, who recently joined the FTC as a Senior Policy Advisor, refers to as an “anti-Precautionary Principle.” This policy norm is better captured in the well-known Internet ideal of “permissionless innovation,” or the general freedom to experiment and learn through trial-and-error experimentation. As I noted in a recent essay here:

Wisdom is born of experience, including experiences involving risk and the possibility of mistakes and accidents. Patience and openness to permissionless innovation represent the wise disposition toward new technologies not only because it provides breathing space for future entrepreneurialism, but also because it provides an opportunity to observe both the evolution of societal attitudes toward new technologies and how citizens adapt to them.

Adaptation Is Not Just Possible but Likely

Which leads to the next major point I make in my filing: Humans adapt! The more I study the history of various technological innovations the more I find the same story unfolding: again and again society has found ways to adapt to new technological changes by employing a variety of coping mechanisms or new social norms. In fact, we see a common cycle of initial resistance, gradual adaptation, and then eventual assimilation of new technologies into society. (I previously outlined this cycle in my law review article, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle.”)

I offer several specific examples of this process in action—from the rise of the telephone and the camera to RFID and Gmail. I argue that these examples should give us hope that we will also find ways of adapting to the challenges presented by the rise of the Internet of Things.

Norms Evolve and “Regulate”

Third, my filing discusses how societal norms evolve in response to new technologies and even come to “regulate” acceptable use of those technologies. Law tends to regulate in sweeping ways and then get locked in. Social norms and technological etiquette, by contrast, flexibly evolve in unique ways over time.

Some of these norms or social constraints are more “top-down” and formal in nature in that they are imposed by establishments or organizations in the form of restrictions on technologies. In other cases, these norms or social constraints are purely bottom-up and group-driven. I offer examples of both types of norms in my filing.

Other Remedies Exist or Will Develop as Needed

Finally, I argue in my filing that policymakers should exercise restraint and humility in the face of uncertain change and address harms that develop—if they do at all—after careful benefit-cost analysis of various remedies. I note that many federal and state laws already exist that could address perceived harms associated with these technologies.

And let’s be clear: some misuses and harms will develop, just as they have for every other information technology ever invented. But, to reiterate, we have generally not preemptive applied precautionary regulation to each and every new information technology based on the potential threat of some misuses developing. Instead, we have allowed experimentation and innovation to take place largely unimpeded and then relied on a combination of education, user empowerment, various social norms and coping mechanisms, and then targeted laws as needed after serious harms were demonstrated. That same approach should govern the Internet of Things.

If we succumb to the opposite impulse and apply a “Mother May I?” permissioned approach to the Internet of Things—with innovation only being allowed after regulators deem those technologies “safe” or “acceptable”—then we risk derailing the next great wave of Internet-based innovation. The implications for America’s consumers and our global competitiveness could not be more profound. The result will be fewer services, lower quality goods, higher prices, diminished economic growth, and a decline in the overall standard of living.

Hopefully the FTC is not going down that path with this proceeding or its forthcoming workshop on the Internet of Things. But stay tuned. This set of issues is expanding rapidly and promises to produce heated privacy, security, and safety debates for many years to come.

Please read my filing for more details. I’ve also embedded it below.

Comments of Adam Thierer Mercatus Center in FTC Internet of Things Proceeding (June 2013)

Today I’ll be testifying at a Senate Commerce Committee hearing on online privacy and commercial data collection issues. In my remarks, I make three primary points:

1. First, no matter how well-intentioned, restrictions on data collection could negatively impact the competitiveness of America’s digital economy, as well as consumer choice.
2. Second, it is unwise to place too much faith in any single, silver-bullet solution to privacy, including “Do Not Track,” because such schemes are easily evaded or defeated and often fail to live up to their billing.
3. Finally, with those two points in mind, we should look to alternative and less costly approaches to protecting privacy that rely on education, empowerment, and targeted enforcement of existing laws. Serious and lasting long-term privacy protection requires a layered, multifaceted approach incorporating many solutions.

The testimony also contains 4 appendices elaborating on some of these themes.

Down below, I’ve embedded my testimony, a list of 10 recent essays I’ve penned on these topics, and a video in which I explain “How I Think about Privacy” (which was taped last summer at an event up at the University of Maine’s Center for Law and Innovation). Finally, the best summary of my work on these issues can be found in this recent Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing.” (This is the first of two complimentary law review articles I will be releasing this year dealing with privacy policy. The second, which will be published early this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.”)

Testimony of Adam D. Thierer before the Senate Committee on Commerce, Science & Transportation hearing…

Some of My Recent Essays on Privacy & Data Collection

1. A Better, Simpler Narrative for U.S. Privacy Policy – March 19, 2013
2. On the Pursuit of Happiness… and Privacy – March 31, 2013 (condensed from Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing”)
3. Isn’t “Do Not Track” Just a “Broadcast Flag” Mandate for Privacy? – Feb. 20, 2011
4. Two Paradoxes of Privacy Regulation – Aug. 25, 2010
5. Privacy as an Information Control Regime: The Challenges Ahead – Nov. 13, 2010
6. When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed – Apr. 29, 2011
7. Lessons from the Gmail Privacy Scare of 2004 – March 25, 2011
8. Who Really Believes in “Permissionless Innovation”? – March 4, 2013 (condensed from Minnesota Journal of Law, Science & Technology law review article, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle”)
9. The Problem of Proportionality in Debates about Online Privacy and Child Safety – Nov. 28, 2009
10. Obama Admin’s “Let’s-Be-Europe” Approach to Privacy Will Undermine U.S. Competitiveness– Jan. 5, 2011

I’m excited to announce the release of my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing,” which appears in the next edition (vol. 36) of the Harvard Journal of Law & Public Policy. This is the first of two complimentary law review articles that I will be releasing this year dealing with privacy policy. The second, which will be published later this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

The new Harvard Journal article is divided into three major sections. Part I focuses on some of normative challenges we face when discussing privacy and argues that there may never be a widely accepted, coherent legal standard for privacy rights or harms here in the United States. It also explores the tensions between expanded privacy regulation and online free speech. Part II turns to the many enforcement challenges that are often ignored when privacy policies are being proposed or formulated and argues that legislative and regulatory efforts aimed at protecting privacy must now be seen as an increasingly intractable information control problem. Most of the problems policymakers and average individuals face when it comes to controlling the flow of private information online are similar to the challenges they face when trying to control the free flow of digitalized bits in other information policy contexts, such as online safety, cybersecurity, and digital copyright.

If the effectiveness of law and regulation is limited by the normative considerations discussed in Part I and the practical enforcement complications discussed in Part II, what alternatives remain to assist privacy-sensitive individuals? I address that question in Part III of the paper and argue that the approach America has adopted to deal with concerns about objectionable online speech and child safety offers a path forward on the privacy front as well. A so-called “3-E” solution that combines consumer education, user empowerment, and selective enforcement of existing targeted laws and other legal standards (torts, anti-fraud laws, contract law, and so on), has helped society achieve a reasonable balance in terms of addressing online safety while also safeguarding other important values, especially freedom of expression.  That does not mean perfect online safety exists, not only because the term means very different things to different people, but because it would be impossible to achieve in the first instance as a result of information control complications. But the “3-E” approach has the advantage of enhancing online safety without sweeping regulations being imposed that could undermine the many benefits information networks and online services offer individuals and society.  This same framework can guide online privacy decisions—both at the individual household level and the public policy level.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and it should be available on the HJLPP website shortly. [Update 4/16: It is now live on the site.] In coming weeks, I hope to do some blogging that builds on the themes and arguments I develop in this article.

The Pursuit of Privacy in a World Where Information Control is Failing

[UPDATE 4/30/13: This article was subsequently published in Volume 65, Issues 2 of the Federal Communications Law Journal in April 2013. The links below now point to the final FCLJ version.]

The Mercatus Center at George Mason University has just released a new paper by Brent Skorup and me entitled, “Uncreative Destruction: The War on Vertical Integration in the Information Economy.”  Brent, who is the research director for the Information Economy Project at the George Mason University School of Law, and I have been working on this paper since the Spring and we are looking forward to getting it published in a law review shortly. The paper focuses on Tim Wu’s “separations principle” for the digital economy, something I’ve spent some time critiquing here in the past. Here’s the introduction from the 44-page paper that Brent and I just released:

Are information sectors sufficiently different from other sectors of the economy such that more stringent antitrust standards should be applied to them preemptively? Columbia Law School professor Tim Wu responds in the affirmative in his book The Master Switch: The Rise and Fall of Information Empires. Having successfully pushed net-neutrality regulation into the policy spotlight, Wu has turned his attention to what he regards as excessive market concentration and threats to free speech throughout the entire information economy.To support his call for increased antitrust intervention, Wu explains his view of competition in the information economy—a view that deviates substantially from current mainstream antitrust theory. First, Wu contends that “information monopolies” are pervasive in the information economy. Wu’s “monopolists” include Facebook, Apple, Google, and even Twitter. In The Master Switch and essays like “In the Grip of the New Monopolists,” Wu argues that these so-called monopolies are increasing their market power and require more aggressive oversight and regulation.Second, Wu argues that traditional antitrust analysis is not sufficient for information systems because they carry speech. He claims, “Information industries… can never be properly understood as ‘normal’ industries,”and traditional forms of regulation, including antitrust enforcement, “are clearly inadequate for the regulation of information industries.”Wu believes that because information industries “traffic in forms of individual expression” and are “fundamental to democracy,” they should be subject to greater regulatory treatment.Third, in contrast to current competition law’s focus on horizontal relationships, Wu desires a reinvigorated regulatory enforcement that addresses “the corrupting effects of vertically integrated power” in the information sectors.He is particularly concerned about private threats to free speech arising from such vertical integration.The solution, he says, is preventing vertical mergers in the information economy and the mandatory divestiture of vertically integrated companies. To implement this, Wu proposes a Separations Principle for the information economy, which would segregate information providers into three buckets, which we have labeled information creators, information distributors, and hardware makers.This article outlines Wu’s separations proposal, explains why his fears regarding vertical relationships should be rejected by regulatory and antitrust policymakers, and illustrates the legal and practical problems his Separations Principle poses. Wu justifies his Separations Principle by citing monopolies and market power in the information economy. He also advocates using U.S. antitrust authorities to enforce his Principle. We argue that the antitrust harms he fears are not present, and we highlight scholarship on the accepted benefits of vertically integrated firms. We show that Wu’s remedies are policy preferences wrapped in the language of competition law. In fact, the information economy is largely competitive and does not warrant interventionist regulatory enforcement. Since much of American economic vitality flows from the information economy and technology, policymakers should reject a radical antitrust remedy like Wu’s preemptive Separations Principle.

The paper can be downloaded from the Mercatus website, SSRN, or Scribd.

The smell of high-tech regulation is increasingly in the air these days and many lawmakers and some activist groups now have the mobile marketplace in their regulatory cross-hairs. Critics make a variety of claims about the wireless market supposedly lacking competition, choice, innovation, or reasonable pricing. Consequently, they want to wrap America’s wireless sector in a sea of red tape.   Two important new studies thoroughly debunk these assertions and set the record straight regarding the state of wireless competition and innovation in the U.S. today. These reports are must-reading for Washington policymakers and FCC officials who are currently contemplating regulatory action.

First, Gerald Faulhaber and Dave Farber have a new report out entitled “Innovation in the Wireless Ecosystem: A Customer-Centric Framework.”  Here’s what Faulhaber and Farber find:

the three segments of the wireless marketplace (applications, devices, and core network) have exhibited very substantial innovation and investment since its inception. Perhaps more interesting, innovation in each segment is highly dependent upon innovation in the other segments. For example, new applications depend upon both advances in device hardware capabilities and advances in spectral efficiency of the core network to provide the network capacity to serve those applications. Further, we find that the three segments of the industry are also highly competitive. There are many players in each segment, each of which aggressively seeks out customers through new technology and new business methods. The results of this competition are manifest: (i) firms are driven to innovate and invest in order to win in the competitive marketplace; (ii) new business models have emerged that give customers more choice; and (iii) firms have opened new areas such as wireless broadband and laptop wireless in order to expand their strategic options.

They continue on to address the policy issues in play here and discuss the “consumer-centric” approach they recommend that the FCC adopt:

Having found that all three segments are highly competitive, we ask, where is the market failure? If none, then the principle of customer-centric applies: let customers make the key decisions regarding which products, services, open vs. managed business models, net neutrality, et al. will survive in the marketplace. While there is no shortage of pundits, advocates, lobbyists and academics advising the FCC that it, rather than customers, should be making these decisions and advising the FCC what those decisions should be, a customer-centric FCC must leave these decisions to customers in a competitive marketplace. Should the FCC decide to preempt customers and make choices for them, it follows as does night from day that the result will be (i) less customer choice, and therefore reduced customer well-being; (ii) higher costs for producers and therefore customers; (iii) lower incentives to invest and innovate, harming customers, producers and the American economy. In this case, economics and technology are on the same page: economists advise intervention only in the case of demonstrated market failure, and then only if there is evidence that the intervention will do more good than harm. The technologist’s advice is more pithy and down to earth: if it ain’t broke, don’t fix it!

Amen to that.  Let’s hope our lawmakers are listening.

Second, Everett Ehrlich, Jeffrey Eisenach, and Wayne Leighton have a terrific new paper out entitled “The Impact of Regulation on Innovation and Choice in Wireless Communications,” which reaches similar conclusions to those Faulhaber and Farber found in their report. Here’s the executive summary from the Ehrlich-Eisenach-Leighton report:

Proposals to increase regulation of mobile wireless services, for example, by applying “net neutrality” regulation, are often based on claims that such regulation would enhance innovation and increase consumer choice. In fact, they would have the opposite effect. The business practices that would be banned by such regulation are efficient mechanisms for spreading and reducing risk, lowering transactions costs, and enhancing marketing activities, all of which contribute to innovation and choice. Moreover, product differentiation increases competition and thus contributes both directly and indirectly to consumer choice. While some types of exclusive agreements and other “discriminatory” practices can theoretically harm competition, the precondition for such harm to occur – i.e., market power in one or more of the affected markets – generally is not present in wireless markets. Hence, the proposed regulations cannot be justified on grounds of market failure. Rather than increasing innovation and consumer choice, as promised, they would severely disrupt the wireless sector’s highly successful business model and significantly reduce innovation and consumer choice.

Like the Faulhaber-Farber paper, the Ehrlich-Eisenach-Leighton paper examines the major segments of the wireless marketplace — applications, devices, and networks — and shows them all to be vigorously competitive and experiencing significant innovation. Some of the following tables and charts help to illustrate this.

This first table shows how concentration ratios for the U.S. market (as measured by HHI) are among the lowest in the world.

The next two charts show that U.S. carriers have the lowest revenue per minute (60% lower than the average OECD country) even though average minutes per use are more than twice the amount of the next highest ranked country (Canada).

Finally, this final chart from their report offers a snapshot of mobile Internet penetration in 16 countries showing the U.S. on top:

Incidentally, the Faulhaber-Farber study also does a nice job listing the various mobile application stores out there today:

Device Manufacturer App Stores Apple’s App Store BlackBerry’s App World Palm’s App Catalog Nokia’s Ovi Store Samsung’s Application Store Sony’s PlayNow arena LG’s Application Store

Software Developers Google’s Android Market Microsoft’s Windows Mobile

Carriers AT&T’s MEdia Mall Verizon Wireless’ Tools & Applications Sprint’s Software Store US Cellular’s easyedge Cellular South’s Discover Center Cricket’s Downloads

Independent Stores Handango GetJar

And the Ehrlich-Eisenach-Leighton paper provides some addition perspective on innovation in the handset and applications space:

On the metrics that seem to be of greatest concern to regulation advocates – choice and innovation – the data also show the industry is performing well. For example, CTIA reports there are more than 630 different wireless handsets and devices available in the U.S., compared with only 147 in the United Kingdom, and notes that many of the most advanced handsets introduced in recent months have been launched in the U.S., including (among others) the iPhone 3G, the Google G1, and the Blackberry Storm. Amazon’s highly popular Kindle was also launched in the U.S. with connectivity provided by Sprint – while its European launch was delayed for a full year by Amazon’s inability to reach agreement with a mobile carrier there. As noted above, the number and variety of available applications is increasing rapidly: In addition to the Apple Apps Store, application downloads are now available from the Android Market (Google), the Palm Software Store, Blackberry App World and the Nokia Ovi Store, offering a total of more than 60,000 different applications. On July 14, 2009 Apple announced that more than 1.5 billion applications had been downloaded from its iPhone App Store since its launch in July 2008.

Actually, that number is even higher now.  As I noted here recently, in just a little over a year, Apple reports there’s been 2 billion downloads of over 85,000 apps from over 125,000 developers.  It’s just stunning when you think about it.

I encourage everyone to read both reports cover-to-cover.  They provide a comprehensive look at the reality on the ground — or in the air, as the case may be — in America’s mobile marketplace.

Google’s new “Interest Based Advertising” (IBA) program represents the company’s first foray into what is generally called “Online Behavioral Advertising” (OBA):  In order to deliver more relevant advertising, Google will begin tailoring ads delivered through AdSense on the Google Content Network (GCN) and YouTube.com (but not Google.com).  This tailoring will be based on a profile of each user’s interests created by tracking their browsing activity across sites that use AdSense-but not search queries or other user information.  Until now, (i) AdSense has delivered essentially “contextual” advertising by choosing which ad to display on a page based on an algorithmic analysis of keywords on that page; and (ii) Google has tracked users’ browsing only for analytics purposes-to limit the number of times a user sees a particular ad (to prevent overexposure) and to allow sequencing of ads in campaigns where one ad must follow another. 

Google is sure to be attacked for crossing a “line in the sand” drawn by some privacy advocates between contextual and behavioral advertising-even though Google’s closest competitor, Yahoo!, already offers a similar program, and the concept in general is hardly new.  Google’s position as the leading search engine and third party ad-delivery network will no doubt cause paroxysms of privacy hysteria among those who consider targeted advertising inherently invasive, unfair or manipulative.

But those whose first priority is advancing consumer privacy, not advancing a political or regulatory agenda, should applaud Google for excluding sensitive categories and for putting the new Ad Preference Manager at the core of the company’s new IBA program.  The Ad Preference Manager sets a new “gold standard” for implementing the principles of Notice and Choice, which have formed the core of both OBA industry self-regulation and the various regulatory proposals made in recent years.  Indeed, Google has done precisely what Adam Thierer and I have called for:  giving consumers more granular control over their own privacy preferences by developing better tools.

How Google’s Ad Preference Manager Works

For years, debates about how OBA should be regulated (whether by industry or by government) have revolved around two key questions: 

• Notice: How should consumers best be informed about the data that’s being collected about them, how it’s being used, by whom, and so on?
• Choice: How should consumers be given the ability to opt-out of tracking for OBA purposes?

While there are significant philosophical disagreements about some aspects of these debates-such as whether the default should be opt-in or opt-out-much of the debate has come down to questions of implementation that may seem trivial or easily-solved to lay people:  Where should notice be provided?  If notice is provided in ads themselves, what should the link say and how big should it be?  By what technological means should users be able to opt-out of tracking?  Google has provided an elegantly simple solution to these questions. 

Google provides “notice” to users in two ways:

• In the ads.  In the bottom left corner of each AdSense ad on sites in the GCN, users will see the URL for the advertiser’s website.  This is already the case for all text ads, but not for display ads.  In the bottom right corner of both display and text ads, users will see an “Ads by Google” link.  Thus, the ad itself provides the user notice of (i) who’s paying for the ad and (ii) who’s serving it. 
• In the Ad Preference Manager.  If the user clicks the “Ads by Google” link, they will see which of the ~20 categories and ~600 subcategories have been associated with the tracking cookie in their browser.  Thus, Google provides notice to the user of what’s in their so-called “digital dossier.”

Google provides “choice” to the user in two ways:

• Editing categories.  The Ad Preference manager not only shows the profile that has been algorithmically assembled of their likely interests, but it lets them decide for themselves which categories they’re really interested in.  If a user finds that they have been placed in the “Automotive > Motorcycles” category but actually owns a SUV, they could select “Automotive > Trucks & SUVs”-or no Automotive category at all.  
• A persistent opt-out.  Users can decide to opt-out completely from having their data collected for IBA purposes.  That choice will be respected in the future, and will therefore be “persistent.”

The Persistent Opt-Out Plug-in

For roughly a decade, the OBA industry has operated under a self-regulatory scheme developed by the Network Advertising Initiative (NAI).  NAI lets users opt-out of receiving ads based on OBA targeting.  But privacy advocates have objected on three grounds:

First, privacy advocates argue that it’s currently too hard for users to find the NAI opt-out tool since users don’t know which ad network is serving which ads and there’s no obvious way to get from an ad to the opt-out option.  Google moots this argument by making its opt-out easily accessible to anyone who clicks on the “Ads by Google” link that appears beneath every IBA-targeted ad.

Second and most importantly, privacy advocates decry NAI’s opt-out because it isn’t “persistent”- i.e., it requires the placement of a special “opt-out cookie” on the user’s computer, which may be inadvertently deleted when users delete all their cookies.  Indeed, many users do precisely that on a regular basis through either their browser or antivirus software-thus erasing their own opt-out choice.  Google moots this argument too:  While Google’s opt-out also relies on a special opt-out cookie, Google has created an easily installed plug-in for the two most common Web browsers, Internet Explorer and Firefox, that ensures that the opt-out cookie is automatically recreated even if a user deletes their cookies.  For the Chrome and Safari Web browsers (which do not support plug-ins), Google has outlined a simple procedure whereby users can achieve the same result.

Third, many critics worry that any cookie-based opt-out mechanism still involves sending data to ad networks that the ad networks could use to track users-despite promises in their privacy policies not to do so.  Even though the FTC can enforce such policies, it may be difficult for users to determine what the ad networks are doing with the data they receive from users that have opted out of tracking.  Although Google’s system seems to be no different in this regard from how other NAI member companies handle opt outs, truly privacy-sensitive users could easily address this concern by configuring their Web browser to not send any data to these networks and/or not allow any persistent cookies, as we’ve discussed in our Privacy Solutions Series.   

A Superior Solution to a “Do-Not-Track” Registry

The privacy advocates who lambaste the inadequacies of the NAI opt-out system have demanded the creation of a government-run “Do-Not-Track” registry loosely modeled on-but very different in practice from-the FTC’s Do-Not-Call registry, by which over 170 million Americans have opted out of receiving telemarketing calls.  Google’s Ad Preference Manager provides a better system.

First, it proves that the “persistency” problem can be solved.  In fact, since Google’s plug-in is open source, these privacy advocates may be able to use it to create a browser plug-in that works for opt-out cookies from other NAI member companies.  Indeed, given how simple Google’s plug-in is, one wonders why they didn’t do this when NAI’s Opt-Out Tool was first made available.  Perhaps the technologists at these organizations have spent a little too much time developing elaborate regulatory solutions and too little time focusing on empowering users.  Or perhaps these organizations simply decided that creating such a tool would undercut their argument that only government intervention could protect users’ privacy.  Ironically, some of the organizations pushing Do-Not-Track have joined us in emphasizing the effectiveness of user empowerment tools in other contexts-such as online child protection, where parental control software offers a more effective alternative to government regulation of Internet content that also does less to restrict constitutionally protected speech.  Even more ironically, their Do-Not-Track proposal specifically calls for the development of browser-based tools to implement the government-maintained Do-Not-Track database.  In an era when anyone can write a browser plug-in that can achieve wild popularity (such as the roughly 43 million downloads of the Firefox plug-ins AdBlock Plus and NoScript), these advocacy organizations have little excuse for not practicing what they preach. 

Second, Google has set a new standard in both Notice-by including a link to the opt-out in every ad-and Choice-by respecting user’s opt-out preferences.  Other ad networks now face intense pressure to catch up with, or outpace, Google by implementing the same kind of Notice and Choice.  Indeed, NAI will now be expected to improve its own opt-out system with a browser plug-in capable of preserving opt-out preferences for all of its members’ ad networks.  To the extent that this plug-in might work better with cooperation from the ad networks, that cooperation should now be more forthcoming than ever. 

Third, if these privacy advocates’ real objection to any cookie-based opt-out system-whether the NAI opt-out tool or Google’s plug-in-is uncertainty as to whether opt-out preferences would really be respected by ad networks that continue to collect tracking data (as discussed above), who better than Google to lead the market in setting higher standards for privacy protection?  Ultimately, these standards will be, and should be, enforced by the FTC under its existing authority to punish unfair and deceptive trade practices.

What This Episode Says About Google

Some privacy advocates will argue that Google is just too big-and therefore too “scary”-to be allowed to engage in OBA, and may try to paint Google’s entry in the OBA marketplace as a net loss to privacy, notwithstanding the extremely pro-privacy way in which Google has implemented its “IBA” service.  But if this incident demonstrates anything about Google, it’s the following:

First, it’s no accident that Google is now leading the pack of third party ad networks by developing innovative solutions that respect consumer privacy.  Unlike most third party ad networks, Google is directly focused on the demands of consumers:  In addition to the ad network they acquired from DoubleClick, of course, Google offers consumers a wide array of other online services (search, email, maps, etc.).  Because these services (and their competitors) are all free, Google has to compete in what economists call “non-price terms”-such as privacy.  So, Google has a lot to lose by alienating its users and a lot to gain by being seen as a leader in privacy protection.  Would an independent DoubleClick have taken so much care to address privacy concerns?  As the developer of a competing search engine once said about the Internet search industry, ”you earn your right to be in business every day, page view after page view, click after click.”  

Second, it’s no accident that Google was a late-comer to the OBA market, lagging behind Yahoo! in particular.  The most likely reason Google has taken its time in rolling out an OBA product is that Google is subject to a unique level of scrutiny by privacy advocates by virtue of its size.  Being the “big kid on the block,” Google has to be especially careful not to appear to be “Big Brother.”  This reputational check on Google should allay some concerns about Google’s size.

Third, this episode also demonstrates the advantages of having a player like Google large enough to be able to singlehandedly set a new paradigm in privacy protection.  Google risks alienating some advertisers and publishers with its bold empowerment of users, but was willing to take those risks because of its incentives as a consumer-facing company and able to do so because of its leadership in the marketplace.  Uncomfortable as this reality may be for those who fret about antitrust issues and indeed for Google itself, the simple reality is that sometimes it takes “big dogs” to make self-regulatory systems truly effective.  For example, the video game industry’s highly effective content rating system has worked because the titans in that field were big enough to push through a tough system and keep it working.  Similarly, Microsoft has led the way for years in empowering users by offering in Internet Explorer the most sophisticated cookie management tools available in any browser, as we’ve discussed.  In a nutshell, privacy leadership requires scale. 

Conclusion

Google’s Ad Preference Manager, with its persistent opt-out plug-in, offers precisely the kind of robust opt-out that privacy advocates have always demanded.  Google deserves a rousing “Amen!” from privacy advocates.  But those who respond to this program by insisting that “more needs to be done on how to educate people and tell them how to opt out,” are right in two senses.  First, Google has shown other ad networks how to do more to empower users.  I am confident that they will rise to that challenge by continuing to refine self-regulation through technological innovation.  Second, this is by no means the last word in privacy protection from Google, which operates in the midst of continually-evolving privacy standards.  I expect Google and competing ad networks will continue to innovate in developing technologies that empower users to manage their own privacy-and that this competitive “race to the top” will improve online privacy protection in a broader sense beyond just advertising by putting pressure on other online service providers to improve their privacy practices and policies.

But I fear that too many privacy advocates will instead see this as just another reason for the government to intervene-perhaps because of fear of Google engaging in OBA or  because they think the government, not Google, should be developing privacy solutions.  Or perhaps they think Google’s system shows that a system of government-mandated solutions really could work.  To the contrary, Google’s approach is precisely the kind of innovation that would be discouraged by pre-emptive government regulation.  Worse, those who would freeze privacy protection in place would also freeze in place much of the Internet itself, precluding development of new business models that would compete with Google, allaying concerns about competition and benefiting consumers.  Why preclude broadband providers, for example, from figuring out how to deploy ad-targeting technologies in a manner that does as much to empower users with better privacy controls as Google has-especially when this could create a new source of funding for “free” content and services and even discounts on broadband? 

I hope instead that the effectiveness of Google’s approach will shift the policy debate about protecting user privacy back to an emphasis on the layered approach Adam Thierer and I have outlined, supplementing consumer education, industry self-regulation, existing state privacy tort laws, and  FTC enforcement of corporate privacy policies with increasingly powerful technological “self-help” tools that allow privacy-wary consumers to take privacy into their own hands.

Of the titles I included in a mega-book review about Internet optimists and pessimists that I posted here a few months ago, I mentioned Lee Siegel’s new book, Against the Machine: Being Human in the Age of the Electronic Mob.  It is certainly the dourest of the recent books that have adopted a pessimistic view of the impact the Internet is having on our culture, society, and economy. Because Siegel’s book is one of the most important technology policy books of 2008, however, I decided to give it a closer look here.

Siegel’s book essentially picks up where Andrew Keen’s leaves off in Cult of the Amateur: How Today’s Internet is Killing our Culture (2007).  I posted a two-part review of Keen’s book here last year [Part 1, Part 2], but here’s a quick taste of Keen’s take on things.  He argues “the moral fabric of our society is being unraveled by Web 2.0” and that “our cultural standards and moral values are not all that are at stake.  Gravest of all,” Keen continues, “the very traditional institutions that have helped to foster and create our news, our music, our literature, our television shows, and our movies are under assault as well.”

As I noted in my earlier “Net optimists vs. pessimists” essay, after reading Cult of the Amateur, I didn’t think anyone else could ever be quite as over-the-top and Chicken Little-ish as Keen. But after working my way through Siegel’s Against the Machine, I realized I was wrong. It made Keen seem downright reasonable and cheery by comparison! Keen and Siegel seem to be in heated competition for the title “High Prophet of Internet Doom,” but Siegel is currently a nose ahead in that race.

Keen and Siegel are both essentially channeling the ghost of the late Neil Postman, the one-time dean of the modern school of techno-pessimism. Postman’s 1992 book Technopoly: The Surrender of Culture to Technology, was the first major anti-Digital Age diatribe and it remains the reigning champion of anti-technology screeds. “Information has become a form of garbage,” Postman argued, “not only incapable of answering the most fundamental human questions but barely useful in providing coherent direction to the solution of even mundane problems.” If left unchecked, Postman argued, America’s new technopoly — “the submission of all forms of cultural life to the sovereignty of technique and technology” — would destroy “the vital sources of our humanity” and lead to “a culture without a moral foundation” by undermining “certain mental processes and social relations that make human life worth living.”

Although Lee Siegel doesn’t bother citing him, he owes much to Postman’s brand of social criticism. Indeed, in large part, Siegel is simply bringing Postman’s critique of the Information Age up to date. Like Postman and Keen, Siegel is concerned about the “destructive side” of the Internet and the Information Age, which they all feel is being overlooked. Specifically, the attack these authors mount on the Information Age and the Net can be boiled down to two major themes:

1. The Net is destroying (or at least greatly diminishing) the role of experts, authority, “truth”, and traditional societal norms and institutions. This is having (or eventually will result in) dangerous ramifications for our culture, economy, and democracy.
2. The personalization and customization that the Information Age and the Internet have spawned is an unambiguously negative development for our society and culture. Moreover, in large part, the entire Web 2.0 experience is largely just about commercial interests furthering their ends.

Let’s take a closer look what Siegel says about each.

Experts, Authority, and “Truth”

Like Postman and Keen, Siegel doesn’t mix words when it comes to his contempt for the disintermediating influences of modern information technology. He is particularly concerned about the loss of “truth” and “authority” in our new environment. “Culture needs authoritative institutions like a powerful newspaper; it needs them both to protect its critical, independent spirit and to make sure that culture’s voices heard in the louder din of more powerful economic and political entities.” (p. 140-1) By empowering the masses to have more of a voice, Siegel says, “unbiased, rational, intelligent, and comprehensive news… will become less and less available.” (p. 165) “[G]iving everyone a voice,” he argues, “can also be a way to keep the most creative, intelligent, and original voices from being heard.” (p. 5)

Like many other Net skeptics, Siegel views Wikipedia, YouTube, blogs, and almost all user-generated content with a combination of confusion or contempt. “[S]elf-expression is not the same thing as imagination” or art, he argues. (p. 52)  Instead, he regards the explosion of online expression as the “narcissistic” bloviation of the masses and argues it is destroying true culture and knowledge. “Under the influence of the Internet,” he says, “knowledge is withering away into information.” (p. 152) Our new age of information abundance is not worth celebrating, he says, because “information is powerlessness.” (p. 148).

One reason Siegel gets nostalgic about the age of scarcity is because elites like him — and others who were lucky enough to have access to mainstream media — had a more privileged place in the old media world.  As a social / cultural critic, he can’t be happy with all the competition he now faces in that field from the blogosphere and online media outlets.

But it’s difficult to sympathize with Siegel’s position that others should be excluded from having a voice now in an effort to preserve the old order. After all, for the past seven decades, public policy has largely been preoccupied with getting society out of the scarcity mess (even though public policy created much of that mess!) by ensuring that citizens had more choices and outlets. Now that we have more options, some people like Keen and Siegel aren’t happy about the fact that the hoi polloi have been empowered. But, even if some traditional institutions lose the dominant position they once held in society, plenty of “authoritative” and “professional” media options and outlets continue to exist. Our new Information Age simply empowers millions of other voices to join the conversation and offer alternative perspectives and input.

But Siegel also disputes what he regards as such romanticized notions of “online participation” and “personal democracy.” To him, everyone is just in it for the money. “Web 2.0 is the brainchild of businessmen,” and the “producer public” is really just a “totalized ‘consumerist’ society.”  But what about all those bloggers who (like me!) are in it for the love of the conversation and debate?  Well, says Siegel, we just don’t realize the harm we are doing by trying to have our say!  “[T]he bloggers are playing into the hands of political and financial forces that want nothing more than to see the critical, scrutinizing media disappear.” (p. 141) And as for those true believers and Net evangelists who believe that something truly exciting is happening with our new online conversation, according to Siegel, they are simply “in a mad rush to earn profits or push a fervent idealism.” (p. 25-6)

It’s difficult for me to imagine anything more insultingly stupid than those last two statements.  The insulting part about them is that Siegel is essentially telling us all to shut up!  We all need to put down our pens — or, rather, our keyboards — and understand that we are doing great harm to those journalists, institutions, or other enlightened few who are really providing the “critical, scrutinizing” function so essential for a healthy democracy and culture. It’s just blatantly elitist for Siegel to suggest that only a select few have any business sharing their views with the world, and he even acknowledges that several times in the book. But he wears that elitist tag like a badge of honor as he stares down his nose at the newly empowered masses, snorting in disgust at everything he sees.

And the stupid part about those statements above is that the vast majority of bloggers or online participants are absolutely not in it for the money, or even out to take down mainstream media. They just want to be heard. But, again, Siegel believes that what you all have to say is not worth hearing anyway.

The Supposed Perils of Personalization

Indeed, Siegel’s primary gripe with the Web 2.0 world is that while most of us appreciate the growing personalization of information and content as well as the increasingly participatory nature of the Internet, he sees that as an unmitigated evil.  “The Internet is the first social environment to serve the needs of the isolated, asocial individual.” (p. 6)  The “Daily Me” (personalized, instantaneously delivered content) that Nicholas Negroponte predicted and longed for in his prescient 1995 book Being Digital, is viewed by Siegel as nothing more that the creation of a “narcissistic culture” in which “exaggeration” and the “loudest, most outrageous, or most extreme voices sway the crowd his way; the cutest, most self-effacing, most ridiculous, or most transparently fraudulent of voices saw the crowd of voices that way.” (p. 79)  He goes so far as to refer to it as our “democracy’s fatal turn” in that, instead of “allowing individuals to create their own cultural and commercial choices,” Web 2.0 has instead created “a more potent form of homogenization.” (p. 67)

In this regard, Siegel is channeling another Net skeptic, the prolific Cass Sunstein of the University of Chicago Law School.  In his 2001 book Republic.com, Sunstein also referred to Negroponte’s “Daily Me” in contemptuous terms, saying that the hyper-customization of websites and online technologies was causing extreme social fragmentation, isolation, and alienation, and could lead to political extremism. “A system of limitless individual choices, with respect to communications, is not necessarily in the interest of citizenship and self-government,” he wrote. As I said in my review of his book in Regulation magazine that year, Sunstein was essentially saying that the Internet is breeding a dangerous new creature: Anti-Democratic Man. “Group polarization is unquestionably occurring on the Internet,” he proclaimed, and it is weakening what he called the “social glue” that binds society together and provides citizens with a common “group identity.” If that continues unabated, Sunstein argued, the potential result could be nothing short of the death of deliberative democracy and the breakdown of the American system of government.

Siegel continues this line of reasoning in Against the Machine but, like Sunstein, completely fails to offer anything more than a few random anecdotes in defense of their thesis that the Net is leading to close-mindedness, homogenization, and the death of deliberative democracy. Worse yet, they also both completely fail to look at the other side of the story, which is that the Internet and Web 2.0 may be having the exact opposite effect. I made that argument in my 2005 book, Media Myths: Making Sense of the Debate over Media Ownership (p. 39):

The reality is that citizens do face an overwhelming number of media choices today, and that probably does make it somewhat more difficult for them to have “shared experiences” involving any individual news or entertainment program. But that isn’t really such a lamentable development. Government need not take steps to make sure everyone watches or listens to the same programs each night so they can all talk about them around the watercooler at work the next day. It’s just as good that everyone can discuss something different that they saw or heard the night before. And the very fact there are so many distinct media options available to citizens is better for a healthy democracy than a limited range of media options. Again, regardless of who owns what, the fact remains that we have more sources of news, communications, and entertainment than ever before in this country. Still, some media critics wax nostalgic about a mythical time — a supposed “Golden Age” of newspapers, radio, or television — when the populace was more closely linked or unified in some grand sociological sense by common reporting or programming options. But that is a stretch. The days when William Randolph Hearst dominated media, or when only three TV networks brought us our news at a set time each night, could hardly be labeled the “Golden Age” of those respective mediums. If that’s the world media critics want us to return to, then this represents, as Jonathan Knee argues, “an argument for homogeneity hiding under the pretext of diversity.”

And, indeed, that’s exactly what Siegel is proposing in his book, as Keen also does in his. They want to roll back to clock and return us to the mythical “good ‘ol days” of media. Again, when were those days? I simply cannot fathom how anyone can claim that the age of media scarcity — with its limited outlets and opportunities — was truly better than the world we find ourselves in today. As I noted in the first part of my two-part review of Keen’s book, which was entitled “Why an Age of Abundance Really is Better than an Age of Scarcity”:

What Keen doesn’t seem willing to tolerate is that when everyone has a voice, a lot more silly things are going to be said and heard. Back in the days before we all had our own soapboxes (websites, blogs, social networks, YouTube posts, etc.) we all had opinions, but we had few ways to get those opinions out. Now that the Internet has become the great leveler and given everyone the ability to be a one-person newspaper or broadcaster to the world, the dream of a more fully empowered citizenry is slowly becoming a reality. The upside is that everyone gets an equal chance to be heard. But the downside is that everyone gets an equal chance to be heard! That is, with the good comes some bad. There are wonderful contributions to culture and human communications being made by average Joes and Janes across the globe because of the Web. But let’s face it, there’s a lot of crap out there too. Cutting through the cultural clutter can been a real challenge, and even with the best search tools in the world at your disposal, it can still be difficult to find that diamond in the rough. But aren’t we better off as a society because of the opportunities now at our disposal? Isn’t an age of media and cultural abundance — warts and all — still preferable to the age of scarcity which preceded it?

I believe it is. And as I concluded in my review of Keen’s book, which seems like an equally sensible way to conclude this review of Lee Siegel’s tedious screed:

I think we are definitely better off because of this seismic shift in our communications and media environment. The human conversation is more diverse than ever before, and we have been empowered to experience the full range of culture and human creativity (for better and for worse!)